CilContainers - SELinuxProject/cil GitHub Wiki

CIL Policy Containers

CIL policy container statements create groups of statements for the purposes of namespacing, reuse, and configuration.


Block

Blocks declare new namespaces and allow the addition of policy constructs to that namespace. Blocks are used for the namespacing of declared symbols and are not directly translated into an object in the policy binary.

'''Syntax:'''

	(block block_name
		cil_statements
		...)

'''Syntax Explanation:''' block:: The keyword for the block statement. block_name:: The name of the new namespace being declared. cil_statements:: 0 or more cil policy statements.

'''Example:'''

	(block apache
		(type process)
		(type log)
		(allow process log (file (read write))))

	(class file (read write execute))

Optional

Optional rules are used to define a set of rules that might (expectantly) fail because types are defined in another CIL policy file that doesn't exist. If at any point the declaration for a symbol cannot be found, the optional rule is disabled.

'''Syntax:'''

	(optional optional_name
		cil_statements
		...)

'''Syntax Explanation:''' optional:: The keyword for the optional statement. optional_name:: The name of the optional block. This name does not affect the namespacing of cil_statements, but provides a reference to the optional and its content. cil_statements:: 0 or more cil policy statements. Tunable and Macro declarations are not permitted in optional statements.

'''Example:'''

	(class file (read write append))

	(block foo
		(type log)
		(macro read_logs ((type a))
			(allow a log (file (read)))))

	(block bar
		(type log)
		(macro read_logs ((type a))
			(allow a log (file (read)))))

	(block foobar
		(type process)

		; optional that succeeds
		(optional my_opt
			(call .foo.read_logs(process))
			(call .bar.read_logs(process)))

		; this optional fails since append_logs does not exist in bar, and none of its contents will
		; be included in the binary policy
		(optional bad_opt
			(call .foo.read_logs(process))
			(call .bar.append_logs(process))))
		

Macro

Macros are used to partially specify a set of policy statements and allow those statements to be instantiated later using parameters at the call site to produce fully specified policy. Macros and tunables cannot be defined inside of macros.

'''Syntax:'''

	(macro macro_name ((type param1) (type param2) (type param3))
		cil_statements
		...)

'''Syntax Explanation:''' macro:: The keyword for the macro statement. macro_name:: The name of the macro block. This name does not affect the namespacing of cil_statements, but provides a reference to the macro and its content. parameters:: The macro contains a list of parameters (the outer parentheses). Each parameter (the inner parentheses) consists of a pairing of the keyword of the type of the object expected and a parameter name. If the macro does not require parameters, an empty list () is required. The permitted parameters types are:

  • type - types, typeattributesets, typealiases (cannot be anonymous)
  • role
  • user
  • sensitivity
  • category
  • categoryset (named / anonymous)
  • level (named / anonymous)
  • levelrange (named / anonymous)
  • class
  • classmap
  • ipaddress (named / anonymous)
  • permissionset (named / anonymous)
  • classpermissionset (named / anonymous)
  • boolean

cil_statements:: 0 or more cil policy statements.

'''Example:'''

	(class file (read write open getattr))

	(permissionset read_perms (open read getattr))

	; With parameters
	(macro m1 ((type foo) (permissionset perms))
		(type bar)
		(allow foo bar (file (perms))))

	; Without parameters
	(macro m2 ()
		(type log)
		(type log2))

	(type a)
	(call m1 (a read_perms))
	(call m2)

Tunableif

Tunableif is a compile time conditional statement and does not directly translate into the binary policy. If the tunable expression evaluates to True, the statements in the true block are added to the parent of the tunableif statement. If the tunable expression evaluates to False, the statements in the false block are added to the parent. The tunableif statement must contain at least one block (true or false) and no more than 2 different blocks (true and false). Tunableif statements are the first statements processed by the compiler, are not affected by other statements, and can be located in any policy container.

'''Syntax:'''

	(tunableif expr
		(true
			cil_statements
			...)
		(false
			cil_statements
			...))

'''Syntax Explanation:''' tunableif:: The keyword for the tunableif statement. expr:: A single tunable or an expression (enclosed in parentheses) using prefix notation. Expressions can be nested. The permitted expression operators and syntax:

   (and expr expr)
   (or expr expr)
   (eq expr expr)
   (neq expr expr)
   (xor expr expr)
   (not expr)

cil_statements:: 0 or more cil policy statements. Tunable declarations are not permitted in tunableif statements.

'''Example:'''

	(tunable tunable1 false)
	(tunable tunable2 true) 
	(tunable tunable3 true)

	(class file (read write execute))
	(type foo)
	(type bar)

	; Single tunable
	(tunableif tunable1
		(true
			(allow foo bar (file (read write execute))))
		(false
			(allow foo bar (file (read)))))

	; Tunable expression
	(tunableif (and (or tunable1 (not tunable2)) tunable3)
		(true
			(allow foo bar (file (read write execute))))
		(false
			(allow foo bar (file (read)))))

	; Only one block
	(tunableif (and tunable1 tunable2)
		(true
			(allow foo bar (file (read write execute)))))

	(tunableif tunable1
		(false
			(allow foo bar (file (read)))))

Booleanif

Booleanif is a run time conditional statement and is directly translated into the binary policy.

'''Syntax:'''

	(booleanif expr
		(true
			cil_statements
			...)
		(false
			cil_statements
			...))

'''Syntax Explanation:''' booleanif:: The keyword for the booleanif statement. expr:: A single boolean or an expression (enclosed in parentheses) using prefix notation. Expressions can be nested. The permitted expression operators and syntax:

   (and expr expr)
   (or expr expr)
   (eq expr expr)
   (neq expr expr)
   (xor expr expr)
   (not expr)

cil_statements:: 0 or more cil policy statements. Due to kernel limitations, the only valid statements are:

  • allow
  • auditallow
  • dontaudit
  • typetransition
  • typechange
  • typemember

'''Example:'''

	(boolean boolean1 true)
	(boolean boolean2 false)
	(boolean boolean3 true)

	(class file (read write execute))
	(type foo)
	(type bar)	

	; Single boolean
	(booleanif boolean1
		(true
			(allow foo bar (file (read write execute))))
		(false
			(allow foo bar (file (read)))))

	; Boolean expression
	(booleanif (and (or boolean1 (not boolean2)) boolean3)
		(true
			(allow foo bar (file (read write execute))))
		(false
			(allow foo bar (file (read)))))

	; Only one block
	(booleanif (and boolean1 boolean2)
		(true
			(allow foo bar (file (read write execute)))))

	(booleanif boolean1
		(false
			(allow foo bar (file (read)))))

In

In allows the author to insert statements into the namespace of a named container (block, macro, or optional).

'''Syntax:'''

	(in container
		cil_statements
		...)

'''Syntax Explanation:''' in:: The keyword for the in statement. container:: The block, macro, or optional to be entered. cil_statements:: 0 or more cil policy statements.

'''Example:'''

	(class file (read))

	; Single boolean
	(in blk1
		(call my_macro)
		(allow foo bar (file (read))))

	(block blk1
		(type bar)
		(macro my_macro ()
			(type foo)))
⚠️ **GitHub.com Fallback** ⚠️